The solution can’t be each school needs to do X, Y, and Z. It has to be looking at how do you get vendors to secure the quality of their products?
Daniel Castro, director, Center for Data Innovation
"That type of scenario has potential to get education to a better standard," said Castro. "The other challenge is authentication, and that goes beyond education as well. Without it, there’s not much you can do on the security side. I’m not terribly optimistic that the US is going to solve it, but schools can put more pressure to resolve those challenges."
Unfortunately, regulations haven't kept up with the pace of technology, said Steve Ritter, chief product architect at Carnegie Learning. "FERPA is a very old law. Even for the most well-intentioned people it's hard to map. It has this model where the school is providing data to the third party, but the school doesn't have the data and make a choice to send it to the vendor," Ritter said.
Two kinds of potential problems include technical security and standard practices of being encrypted so that data isn't sent unencrypted. There's also privacy protection in general.
Developing a common standard around how data is collected, for what purposes it is used, with whom it is shared, how it is stored, and how it is eliminated would help to bring everyone onto the same page because there seems to be some discrepancy over what kind of data has the greatest value.
A rule of thumb for best practices, said Ritter, "Don't collect any information that you don't need. You don't need to know gender, race, or if a student is eligible for free or reduced lunch. That's just a matter of being careful. If you get hacked, the consequences should be as minimal as possible."
Ken Koedinger, professor in the Human-Computer Interaction Institute at Carnegie Mellon's School of Computer Science said, "If vendors are using the data to improve the curriculum, they don’t need to know who the students are. If the data is vigorously de-identified, eliminating record and demographic information, we might not have so much to worry about."
Don't collect any information that you don't need. You don't need to know gender, race, or if a student is eligible for free or reduced lunch. If you get hacked, the consequences should be as minimal as possible.
Steve Ritter, chief product architect at Carnegie Learning
On the other hand, chief learning officer at Kaplan, Bror Saxberg, said, "There are ways to do rich analyses of large sets of data that anonymize and also protect identity of students while doing some very valuable work, which can lead you to understand how to personalize, but if the goal is to de-identify data, then don't collect data."
Sign up for CIO Asia eNewsletters.